Alexander Nikolaj

**Name of the Vulnerable Software and Affected Versions** BullWall Ransomware Containment versions 4.6.0.0 through 4.6.1.4 **Description** BullWall Ransomware Containment does not fully inspect files to identify ransomware. An attacker with valid credentials can bypass detection by encrypting a file while leaving the initial four bytes unchanged. This allows malicious files to potentially remain undetected. **Recommendations** Update to a version beyond 4.6.1.4.

**Name of the Vulnerable Software and Affected Versions** BullWall Ransomware Containment versions 4.6.0.0 through 4.6.1.4 **Description** BullWall Ransomware Containment does not monitor certain file paths, such as `$recycle.bin`. An attacker with file write permissions could bypass detection by renaming a directory. **Recommendations** BullWall Ransomware Containment version 4.6.0.0: Implement stricter file monitoring to include previously excluded paths. BullWall Ransomware Containment version 4.6.0.6: Implement stricter file monitoring to include previously excluded paths. BullWall Ransomware Containment version 4.6.0.7: Implement stricter file monitoring to include previously excluded paths. BullWall Ransomware Containment version 4.6.1.4: Implement stricter file monitoring to include previously excluded paths.

**Name of the Vulnerable Software and Affected Versions** BullWall Ransomware Containment versions 4.6.0.0 through 4.6.1.4 **Description** BullWall Ransomware Containment’s detection mechanism, which relies on the number of file modifications, can be bypassed by an authenticated attacker. An attacker could encrypt a single large file without triggering a detection alert. **Recommendations** Update to a version newer than 4.6.1.4.

**Name of the Vulnerable Software and Affected Versions** BullWall Server Intrusion Protection versions 4.6.0.0 through 4.6.1.4 **Description** BullWall Server Intrusion Protection exhibits a delay before Multi-Factor Authentication (MFA) is checked when connecting via Remote Desktop Protocol (RDP). A remote attacker with administrative privileges may be able to bypass detection during this delay. **Recommendations** Versions 4.6.0.0 through 4.6.1.4 should be updated. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BullWall versions 4.6.0.0 through 4.6.1.4 **Description** BullWall Server Intrusion Protection services start after login services. An attacker who is already authenticated and has administrative privileges can log in following a system boot, bypassing Multi-Factor Authentication (MFA). The Session Initiation Protocol (SIP) service does not enforce authentication challenges retroactively, nor does it disconnect unauthenticated sessions. **Recommendations** Versions prior to 4.6.0.0 and versions after 4.6.1.4 should be investigated for potential impact. Ensure that the BullWall Server Intrusion Protection services are initialized before login services. Verify that the SIP service enforces authentication challenges retroactively and disconnects unauthenticated sessions.